b'FEDERAL ELECTION COMMISSION\n\nOFFICE OF INSPECTOR GENERAL\n\n\n\n\n          FINAL REPORT\n\n\n\n Review of Outstanding Recommendations\n        as of December 2012\n\n\n\n\n          January 2013\n\n\n\n\n      ASSIGNMENT No. OIG -13-01\n\x0cOffice of Inspector General\xe2\x80\x99s Review of Outstanding Audit Recommendations\nDecember 2012 Report\n\nReport Overview\n\nAs required by the Inspector General Act of 1978, as amended, the Office of Inspector General (OIG)\nis responsible for conducting audits of the Federal Election Commission\xe2\x80\x99s (FEC) programs and\noperations. When the OIG conducts an audit, or supervises an Independent Public Accounting firm\nto perform an audit, the OIG also has the responsibility of tracking audit recommendations and\nperforming audit follow-up work to ensure adequate resolution of audit recommendations. Audit\nfollow-up, to include the timely implementation of audit recommendations, is required by Office of\nManagement and Budget Circular A-50, Audit Followup, as revised, and FEC Directive 50: Audit\nFollow-up.\n\nAlthough management typically provides a semiannual status report to the Commission of their\nprogress concerning outstanding audit recommendations, the official status (open/closed) of audit\nrecommendations is determined by the OIG once the OIG has verified that management has\nadequately implemented the corrective actions to address the audit recommendations. This\ninformation is reported to the Commission and Congress in the OIG\xe2\x80\x99s Semiannual Reports to\nCongress.\n\nThis report provides the Commission with details regarding the:\n\n    \xe2\x80\xa2   OIG\xe2\x80\x99s Audit Follow-up process, see page 2;\n    \xe2\x80\xa2   Quarterly meetings with management to determine the status of outstanding audit\n        recommendations, starting on page 3:\n            a. Audit Follow-up Review of the FEC\xe2\x80\x99s Employee Transit Benefit Program, see page 4;\n            b. Audit of the Commission\xe2\x80\x99s Property Management Controls, see page 4;\n            c. 2010 Follow-up Audit of Privacy and Data Protection, see page 5;\n            d. 2010 Follow-up Audit of Procurement and Contract Management, see page 5; and\n            e. Inspection of FEC\xe2\x80\x99s Kastle Key Program, see page 6.\n\nFor this review period, the OIG reviewed five audits/inspections that had a total of 127\nrecommendations that were outstanding for six months or more. Collectively for three of the five\nassignments, the OIG closed 24 outstanding recommendations based on the OIG\xe2\x80\x99s review of\nmanagement\xe2\x80\x99s implementation of corrective action. However, the OIG\xe2\x80\x99s review determined that\nmanagement\xe2\x80\x99s efforts to date do not adequately address the audit recommendations and all open audit\nrecommendations reported in the OIG\xe2\x80\x99s June 2012 report for the 2010 Follow-up Audit of Privacy\nand Data Protection and the 2010 Follow-up Audit of Procurement and Contract Management\nremain outstanding.\n\n\n\n\n                                                  1\n\x0cOffice of Inspector General\xe2\x80\x99s Review of Outstanding Audit Recommendations\nDecember 2012 Report\n\nAudit Follow-up Process\n\nAt the conclusion of each audit, it is management\xe2\x80\x99s responsibility to develop a corrective action plan\n(CAP). The CAP identifies the plan management has developed to address the audit findings. The\nCAP should detail the following:\n\n   1.   assignment of Audit Follow-up Official (AFO);\n   2.   audit finding(s);\n   3.   audit recommendation(s);\n   4.   corrective action to implement the audit recommendation(s);\n   5.   staff person with responsibility to implement each task; and\n   6.   expected completion dates.\n\nOnce management drafts the CAP, the OIG then reviews their CAP and provides comments to\nmanagement regarding the sufficiency of their planned corrective actions to address the audit\nfindings. Management reviews the OIG\xe2\x80\x99s comments, finalizes the CAP, and then provides the final\nCAP to the Commission with a courtesy copy to the OIG.\n\nFEC Directive 50 requires management to:\n\n        \xe2\x80\x9c(3) Conduct regular meetings with the Inspector General throughout the year to follow-up\n        on outstanding findings and recommendations, and include reports of these meetings in the\n        written corrective action plan and semi-annual reports required to be presented to the\n        Commission;\xe2\x80\xa6\xe2\x80\x9d\n\nIn order to work effectively with FEC management in adhering to Directive 50, and to ensure\ncontinuous monitoring and adequate and timely audit resolution, the OIG revamped our follow-up\nprocess to include quarterly meetings with management to discuss the progress of outstanding audit\nrecommendations. The OIG is reporting semiannually (June & December) to the Commission on\nrecommendations that the OIG has closed (if any) based on follow-up reviews. The quarterly\nmeetings are also intended to assist the audit follow-up official in following provisions 4 through 6 of\nDirective 50, which are listed below:\n\n        \xe2\x80\x9c(4) Respond in a timely manner to all audit reports;\n         (5) Engage in a good faith effort to resolve all disagreements; and\n         (6) Produce semi-annual reports that are submitted to the agency head.\xe2\x80\x9d\n\n\n\n\n                                                   2\n\x0cOffice of Inspector General\xe2\x80\x99s Review of Outstanding Audit Recommendations\nDecember 2012 Report\n\nQuarterly Meetings\n\nIn the OIG\xe2\x80\x99s June 2012 report on the review of outstanding audit recommendations, there were four\nOIG audits with a total of 112 1 outstanding audit recommendations. Since our June 2012 report, the\nInspection of the FEC\xe2\x80\x99s Kastle Key Program was added to the audit follow-up process because there\nare recommendations that have been outstanding for more than six months from the inspection\ncompletion date of December 2011. To discuss the current status and progress of each outstanding\nrecommendation, the OIG held separate meetings with the applicable audit follow-up official and/or\nmanagement staff for each audit/inspection. Out of the five follow-up reviews, the OIG was able to\nclose several outstanding recommendations for three of the five audits/inspection: (1) Audit Follow-\nup Review of the FEC\xe2\x80\x99s Employee Transit Benefit Program; (2) Audit of the Commission\xe2\x80\x99s Property\nManagement Controls; and (3) Inspection of the FEC\xe2\x80\x99s Kastle Key Program.\n\nAlthough several recommendations were closed for three assignments, further corrective action from\nmanagement is still needed to implement the remaining outstanding recommendations. In addition,\nno issues were closed for the 2010 Follow-up Audit of Procurement and Contract Management and\nthe 2010 Follow-up Audit of Privacy and Data Protection. See table below for a summary of progress\nmade by FEC management and the outstanding recommendations as of December 2012.\n\n                            Outstanding Audit Recommendations Status Table\n\n                                            Total\n             Title of OIG\n                                        Outstanding              Total        Total Open         Report\n           Audits/Inspection\n                                      Recommendations          Closed per        as of           Release\n                                       As of June 2012            OIG       December 2012         Date\n      Audit Follow-up Review of\n      the FEC\xe2\x80\x99s Employee Transit              25                  10               15            7/2009\n      Benefit Program\n      Audit of the Commission\xe2\x80\x99s\n      Property Management                     20                  62               14            3/2010\n      Controls\n      2010 Follow-up Audit of                 38                   0               38            3/2011\n      Privacy and Data Protection\n      2010 Follow-up Audit of\n      Procurement and Contract                29                   0               29            6/2011\n      Management\n      Inspection of the FEC\xe2\x80\x99s\n                                              15                   8                7            12/2011\n      Kastle Key Program\n\n\n\n\n1\n  The number (112) of outstanding recommendations includes recommendations that management has disagreed with the\nOIG. These recommendations remain open based on further improvement needed by management for the overall program\nand/or the OIG believes the recommendation is essential to fixing the weakness and should be implemented.\n2\n  The OIG researched the Internal Revenue Service regulation for finding 1j, and noted that agency issued mobile devices\nare no longer labeled as \xe2\x80\x9clisted property\xe2\x80\x9d which makes the recommendation no longer applicable based on the revised\nregulations. See further explanation on page 5.\n\n                                                           3\n\x0cOffice of Inspector General\xe2\x80\x99s Review of Outstanding Audit Recommendations\nDecember 2012 Report\n\n\nA.      Audit Follow-up Review of the FEC\xe2\x80\x99s Employee Transit Benefit Program\n\nDuring the quarter ending September 30, 2012, OIG met with the Transit Program Manager on\nseveral occasions to obtain and review documentation related to some of the outstanding\nrecommendations. Based on OIG\xe2\x80\x99s review of supporting documentation and follow-up work\nperformed, we were able to close 10 of the 25 outstanding recommendations.\n\nThe OIG notes that nine (9) of the remaining fifteen (15) outstanding recommendations are tied to the\nissuance of a revised Commission Directive 54 on the transit benefit program. The OIG reviewed the\nfinal draft of Directive 54 and provided comments to the Transit Program Manager before it was\nsubmitted to the Commission for approval. In January 2013, the revised Directive 54 was approved\nand issued to FEC staff. The OIG plans to review the final directive to verify the actions and the\nrelated recommendations can be closed.\n\nB.      Audit of the Commission\xe2\x80\x99s Property Management Controls\n\nThe Audit of the Commission\xe2\x80\x99s Property Management Controls (Property Audit) audit report was\nreleased in March 2010. The OIG has worked with the Administrative Services Division (ASD)\nManagers 3 and the Deputy Chief Information Officer of Operations (Deputy CIO) to receive any\nupdates regarding the implementation of audit recommendations. The responsibility of implementing\nthe audit recommendations is shared by the Administrative Services Division and the Office of\nInformation Technology (OIT).\n\nThe Property Audit report identified 36 audit recommendations to improve the controls over FEC\xe2\x80\x99s\nproperty. ASD is responsible for 10 of the 36 audit recommendations that relate to the FEC\xe2\x80\x99s\nmanagement controls over government vehicles and charge (fuel) cards. In the OIG\xe2\x80\x99s June 2012\nOutstanding Recommendations report, ASD had 6 open recommendations regarding the Property\nAudit. During the latest audit follow-up meeting with ASD, the OIG reviewed supporting\ndocumentation and processes implemented to address the 6 open recommendations. The OIG\xe2\x80\x99s\nreview concluded that 5 of the 6 open recommendations were adequately implemented. Although the\nOIG could not close all 6 open recommendations, the ASD manager\xe2\x80\x99s consistent progress in\nimplementing corrective actions provides the OIG with assurance that the remaining open\nrecommendation will be fully implemented in the near future.\n\nThe Office of Information Technology is responsible for implementing 26 of the 36 outstanding audit\nrecommendations that relate to the FEC\xe2\x80\x99s management controls over mobile devices (Blackberry\nphones). The OIG\xe2\x80\x99s June 2012 report identified 14 outstanding audit recommendations; 12\nrecommendations had already been closed as of June 2012. The OIG held an audit follow-up meeting\nwith the CIO and Deputy CIO to discuss the progress that ITD has made in implementing the 14\noutstanding recommendations. However, ITD has not implemented corrective action for any of the 14\noutstanding recommendations. Further, during the audit follow-up meeting, it was noted that\nmanagement decided to disagree with recommendation 1h, Document the ITD re-authorization\n\n3\n The OIG has worked with one acting ASD manager and two permanent ASD managers since the completion of the\nProperty audit due to frequent turnover in this position.\n\n                                                      4\n\x0cOffice of Inspector General\xe2\x80\x99s Review of Outstanding Audit Recommendations\nDecember 2012 Report\n\nprocess of PCD users in ITD\xe2\x80\x99s Policy 58-4.4, a recommendation management initially agreed to\nimplement.\n\nPrior to management changing their response to disagree with recommendation 1h, management\xe2\x80\x99s\nPolicy 58-4.4 was updated to state the following:\n        \xe2\x80\x9cThe approval authority must re-authorize approved PCD users under their cognizance via e-mail to\n        OCIO. The OCIO will maintain the file of authorized PCD users and re-authorizations.\xe2\x80\x9d\n\nHowever, ITD has not been in compliance with their policy to require users to have their use of\nagency devices reauthorized. Management now believes that a reauthorization process would be\nredundant with other ITD processes of recording devices and maintaining email requests for devices.\nHowever, based on test results from the OIG\xe2\x80\x99s initial audit, the OIG believes that if this\nrecommendation is implemented, and mangers/supervisors have the opportunity to annually assess\ntheir staffs\xe2\x80\x99 use and/or need for Blackberry devices, there is potential cost savings to the agency.\n\nIn addition, the OIG researched the Internal Revenue Service (IRS) guidance regarding the use of\nagency issued mobile devices (cell phones) in relation to recommendation 1j, which states: \xe2\x80\x9cFEC\nshould adhere to the IRS regulations and revise program policies to reflect those regulations.\xe2\x80\x9d The\nOIG identified that the IRS has issued Notice 2011-72 4 . In this notice, the IRS has removed cell\nphones provided for business purposes from \xe2\x80\x9clisted property\xe2\x80\x9d and the substantiation requirements for\nidentifying business versus personal use is no longer applicable. Therefore, the OIG has closed\nrecommendation 1j, based on the revised IRS regulations.\n\nC.      2010 Follow-up Audit of Privacy and Data Protection\n\nFor the Privacy and Data Protection Audit, the OIG\xe2\x80\x99s June 2012 Review of Outstanding Audit\nRecommendations report identified 38 open recommendations. During the OIG\xe2\x80\x99s recent audit follow-\nup meeting, management provided support for 4 (2a, 4c, 6a, and 8d) of the 38 open\nrecommendations. The OIG reviewed the information provided and concluded that the support\nprovided for the recommendations was not sufficient and did not adequately address the audit issues.\nHowever, for recommendation 6a, Modify the Federal Election Commission Mobile Computing\nSecurity Policy, 58-4, to require all mobile devices, including Blackberry devices, be encrypted, ITD\nhas noted that they are currently working on changing the FEC\xe2\x80\x99s current system that captures\nencryption information for FEC devices. ITD anticipates the new system will have the capability to\nprovide the necessary information to document that all devices are encrypted.\n\nD.      2010 Follow-up Audit of Procurement and Contract Management\n\nThe OIG held a quarterly meeting on October 5, 2012 with the outgoing Chief Financial Officer\n(CFO), the Accounting Officer, and the new Procurement Director. The purpose of the meeting was\nfor OIG to obtain a status update of the outstanding audit recommendations for the 2010 Follow-up\nAudit of Procurement and Contract Management. During the meeting, the (former) CFO stated that\nall 29 5 recommendations were still open, but that progress is now being made since the new\n4\n http://www.irs.gov/pub/irs-drop/n-11-72.pdf\n5\n Out of the 29 recommendations, there is one recommendation management has disagreed with the OIG, and does not\nplan to implement any corrective action.\n\n                                                        5\n\x0cOffice of Inspector General\xe2\x80\x99s Review of Outstanding Audit Recommendations\nDecember 2012 Report\n\nProcurement Director is on board. OIG notes that the Procurement Director position was filled in\nJune 2012. The Procurement Director stated that she was in the process of reviewing and updating\nthe corrective action plan to reflect progress made and actions planned to address the audit\nrecommendations. The Procurement Director stated that she needed more time and requested that we\nschedule another meeting to discuss the CAP once it was updated.\n\nThe OIG met with the Procurement Director on November 15, 2012 and was informed that she had\nbeen busy with other priorities and has not had time to complete the CAP. The OIG gave the\nProcurement Director guidance on how to report on the status of open recommendations to be\nincluded in the November 2012 semiannual CAP report to the Commission. An updated CAP was\nreceived by OIG on November 21, 2012. Based on our review of the revised CAP, all 29\nrecommendations are still open. However, OIG notes that partial corrective action has been made to\naddress some of OIG\xe2\x80\x99s recommendations to ensure compliance with contracting regulations. OIG\nwill verify the new and/or planned procurement policies and procedures once they have been fully\nimplemented.\n\nE.     Inspection of the FEC\xe2\x80\x99s Kastle Key Program\n\nThe OIG held the first follow-up meeting with the Administrative Services Division (ASD) for the\nInspection of the FEC\xe2\x80\x99s Kastle Key Program to review their progress in implementing the\noutstanding recommendations. Although management agreed with 14 of the 15 recommendations in\nthe inspection report, management\xe2\x80\x99s CAP provided corrective action for all 15 recommendations.\nThe OIG\xe2\x80\x99s review noted that 6 of the 15 recommendations remained open, and the majority of these\nrecommendations are open because ASD\xe2\x80\x99s revised Kastle Key policy was still in draft at the time of\nour review. However, the OIG did review the draft policy, provided comments, and the Kastle Key\npolicy has since been finalized and issued to FEC staff. The OIG will review the open\nrecommendations and final policy during our next follow-up review and it is anticipated\nrecommendations will be closed.\n\nIn addition, the OIG reviewed one recommendation regarding ASD\xe2\x80\x99s data that is processed in the\nKastle key system by the Kastle key administrators. This recommendation could not be closed as the\nOIG noted that the data entered in the Kastle key system did not always reflect what was documented\nin the Kastle key request form by the user. ASD noted that these errors potentially occurred due to a\ndifference in data entry processes by the two administrators. Therefore, this recommendation remains\nopen. However, the remaining 8 recommendations were all closed by the OIG due to adequate\nimplementation of the corrective actions by management.\n\n\n\n\n                                                  6\n\x0c                         Federal Election Commission\n                           Office of Inspector General\n\n\n\n\n    Fraud Hotline\n    202-694-1015\n\n\n\n\n      or toll free at 1-800-424-9530 (press 0; then dial 1015)\n      Fax us at 202-501-8134 or e-mail us at oig@fec.gov\n      Visit or write to us at 999 E Street, N.W., Suite 940, Washington DC 20463\n\n\n\n\nIndividuals including FEC and FEC contractor employees are encouraged to alert the OIG to\nfraud, waste, abuse, and mismanagement of agency programs and operations. Individuals\nwho contact the OIG can remain anonymous. However, persons who report allegations are encouraged\nto provide their contact information in the event additional questions arise as the OIG evaluates the\nallegations. Allegations with limited details or merit may be held in abeyance until further specific details\nare reported or obtained. Pursuant to the Inspector General Act of 1978, as amended, the Inspector\nGeneral will not disclose the identity of an individual who provides information without the consent of that\nindividual, unless the Inspector General determines that such disclosure is unavoidable during the course\nof an investigation. To learn more about the OIG, visit our Website at: http://www.fec.gov/fecig/fecig.shtml\n\n                            Together we can make a difference.\n\x0c'